Kueri untuk tabel Peristiwa
Untuk informasi tentang menggunakan kueri ini di portal Azure, lihat tutorial Analitik Log. Untuk REST API, lihat Kueri.
Persentase penggunaan memori
Untuk persentase penggunaan memori simpul rata-rata tampilan kluster Anda.
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID
//Unit for MemoryUsage is in percentage(%),TotalMemory, and UsedMemory are in bytes
//Please use Nodename to set alert for each node
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3000"
| extend ClusterData = parse_xml(EventData)
| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend servers_information = parse_json(RenderedDescription).m_servers
| mv-expand servers_information
| extend Nodename = tostring(servers_information.m_name)
| extend TotalMemory = todecimal(servers_information.m_totalPhysicalMemoryInBytes)
| extend UsedMemory = iff(TotalMemory == 0.0, todecimal(0.0), todecimal(servers_information.m_usedPhysicalMemoryInBytes))
| extend MemoryUsage = iff(TotalMemory == 0.0, todecimal(0.0), todecimal(round(UsedMemory / TotalMemory * 100, 0)))
Persentase penggunaan CPU simpul rata-rata
Untuk tampilan kluster Anda persentase penggunaan CPU simpul rata-rata.
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID
//Unit for UsedCpuPercentage is in percentage(%)
//Please use Nodename to set alert for each node
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3000"
| extend ClusterData = parse_xml(EventData)
| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend servers_information = parse_json(RenderedDescription).m_servers
| mv-expand servers_information
| extend Nodename = tostring(servers_information.m_name)
| extend UsedCpuPercentage = toint(servers_information.m_totalProcessorsUsedPercentage)
Komputer virtual gagal
Untuk kluster Anda, lihat komputer virtual yang gagal dalam kluster.
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3003"
| extend ClusterName = tostring(parse_xml(EventData).DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(parse_xml(EventData).DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend description = parse_json(RenderedDescription)
| extend VmsFailed = toint(description.m_totalVmsFailed)
Total komputer virtual dalam kluster.
Untuk kluster Anda, lihat total, berjalan, berhenti, dan gagal komputer virtual dalam kluster
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3003"
| extend ClusterName = tostring(parse_xml(EventData).DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(parse_xml(EventData).DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend description = parse_json(RenderedDescription)
| extend VmsStopped = toint(description.m_totalVmsStopped)
Kapasitas volume yang tersedia dalam kluster.
Melihat kapasitas yang tersedia (dalam Byte) untuk volume dalam kluster
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3002"
| extend ClusterData = parse_xml(EventData)
| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend volumes_information = parse_json(RenderedDescription).VolumeList
| mv-expand volumes_information
| extend Volumes = tostring(volumes_information.m_Label)
| extend TotalCap = todecimal(volumes_information.m_Size)
| extend AvailableCap = TotalCap - todecimal(volumes_information.m_SizeUsed)
Latensi volume
Kueri ini memperlihatkan latensi untuk volume Anda.
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3002"
| extend ClusterData = parse_xml(EventData)
| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend volumes_information = parse_json(RenderedDescription).VolumeList
| mv-expand volumes_information
| extend VolumeName = tostring(volumes_information.m_Label)
| extend Latency = todouble(volumes_information.m_AverageLatency)
| extend Latency = iff(Latency < 0, 0.0, Latency)
IOPS volume
Kueri ini menunjukkan operasi output input per detik untuk volume Anda dalam kluster.
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID to view IOPS of volumes in a cluster
//Unit for IOPS will be IOPS/s
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3002"
| extend ClusterData = parse_xml(EventData)
| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend volumes_information = parse_json(RenderedDescription).VolumeList
| mv-expand volumes_information
| extend VolumesName = tostring(volumes_information.m_Label)
| extend Iops = todouble(volumes_information.m_TotalIops)
| extend Iops = iff(Iops < 0, 0.0, Iops)
Throughput volume
Kueri ini memperlihatkan throughput untuk volume Anda dalam kluster.
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID
//Unit for throughput is B/s
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3002"
| extend ClusterData = parse_xml(EventData)
| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend volumes_information = parse_json(RenderedDescription).VolumeList
| mv-expand volumes_information
| extend VolumeName = tostring(volumes_information.m_Label)
| extend Throughput = todouble(volumes_information.m_TotalThroughput)
| extend Throughput = iff(Throughput < 0, 0.0, Throughput)
Node kluster tidak berfungsi
Dapatkan pemberitahuan jika node tidak berfungsi dalam kluster.
//Select your log analytics workspace and replace clusterarmId1 with your cluster arm ID
//Please split dimensions by clusterarmID and dimension name as faulting resource ID to set up alerts for each node within a cluster. Please check include all future values to get alerts for future dimension names.
Event
| where EventLog =~ "Microsoft-Windows-Health/Operational"
| extend description = parse_json(RenderedDescription)
| extend CorrelationId = tostring(description.CorrelationId)
| join kind=leftsemi (Event
| where EventLog =~ "Microsoft-Windows-Health/Operational"
| extend description = parse_json(RenderedDescription)
| extend ClusterArmId = tostring(description.ArmId)
//| where ClusterArmId in~ ('clusterarmId1', 'clusterarmId2', 'clusterarmId3')
| where tostring(description.IsLastMessage) =~ 'true'
| extend CorrelationId = tostring(description.CorrelationId)
| summarize arg_max(TimeGenerated, *) by ClusterArmId
| project CorrelationId)
on CorrelationId
| extend ClusterArmId = tostring(description.ArmId)
| where tostring(description.Fault.RootObjectType) == 'Microsoft.Health.EntityType.Cluster'
| extend Fault = description.Fault
| extend ShortDescription = split(tostring(Fault.Type), '.')[-1]
| extend Faulttype= Fault.Type
| where Faulttype == "Microsoft.Health.FaultType.Server.Down"
| extend Severity = toint(Fault.Severity)
| extend FaultingResourceType = split(tostring(Fault.ObjectType), '.')[-1]
| extend FaultingResourceId = tostring(Fault.ObjectId)
| extend ReportedTime = datetime_add('Microsecond', tolong(Fault.Timestamp) / 10, make_datetime(1601, 1, 1))
| extend Detail = pack(
"Severity", iff(Severity == 0, "Healthy", iff(Severity == 1, "Warning", iff(Severity == 2, "Critical", "Unknown"))),
"Faulting Resource ID", FaultingResourceId,
"Faulting Resource Type", FaultingResourceType,
"Faulttype", Faulttype,
"Reported Time", ReportedTime,
"Short Description", ShortDescription,
"Description", tostring(Fault.Description),
"clusterARMId", tostring(ClusterArmId),
"Remediation", tostring(Fault.Remediation))
| sort by ReportedTime asc
| limit 100
Persentase penggunaan memori
Untuk persentase penggunaan memori simpul rata-rata tampilan kluster Anda.
//Select your log analytics workspace and replace clusterarmId1 with your cluster arm ID
//Unit for MemoryUsage is in percentage(%),TotalMemory, and UsedMemory are in bytes
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3000"
| extend ClusterData = parse_xml(EventData)
| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData["ArmId"])
//| where ClusterArmId in~ ('clusterarmId1', 'clusterarmId2', 'clusterarmId3')
| summarize arg_max(TimeGenerated, *) by ClusterArmId
| extend servers_information = parse_json(RenderedDescription).m_servers
| mv-expand servers_information
| extend Nodename = tostring(servers_information.m_name)
| extend TotalMemory = todecimal(servers_information.m_totalPhysicalMemoryInBytes)
| extend UsedMemory = iff(TotalMemory == 0.0, todecimal(0.0), todecimal(servers_information.m_usedPhysicalMemoryInBytes))
| extend MemoryUsage = iff(TotalMemory == 0.0, todecimal(0.0), todecimal(round(UsedMemory / TotalMemory * 100, 0)))
| extend MemoryUsageint = toint(MemoryUsage)
| where Nodename != ""
| limit 100
Diagram waktu latensi penyerapan (end-to-end) - Tabel peristiwa
Buat bagan latensi penyerapan ke tabel Peristiwa dalam 1 hari terakhir.
Event
| where TimeGenerated > ago(1d)
| project TimeGenerated, IngestionDurationSeconds = (ingestion_time()-TimeGenerated)/1s
| render timechart title = "Ingestion latency: Event table"
Perlihatkan tren peristiwa yang dipilih
Bagan berapa kali peristiwa dilaporkan sepanjang hari terakhir.
// To create an alert for this query, click '+ New alert rule'
Event
| where EventID == 44 // this ID indicates Windows Update started downloading an update
| summarize count() by bin(TimeGenerated, 1h), Computer, _ResourceId // bin is used to set the time grain to 1 hour
| render barchart
Peristiwa kesalahan pada komputer kehilangan pembaruan keamanan co kritis
Peristiwa kesalahan untuk komputer yang tidak memiliki pembaruan penting atau keamanan yang diperlukan.
// To create an alert for this query, click '+ New alert rule'
Event
| where EventLevelName == "error"
| join kind=inner (Update |where (Classification == "Security Updates" or Classification == "Critical Updates") and UpdateState == "Needed" and Optional == "false" | distinct Computer) on Computer
| sort by TimeGenerated desc
Semua Peristiwa dalam satu jam terakhir
Semua Peristiwa dalam satu jam terakhir.
Event
| where TimeGenerated > ago(1h)
| sort by TimeGenerated desc
Peristiwa dimulai
Peristiwa dimulai oleh ID peristiwa.
Event
| where RenderedDescription contains "started"
| summarize count() by EventID
Peristiwa menurut sumber peristiwa
Peristiwa menurut sumber peristiwa.
Event
| summarize count() by Source
Peristiwa menurut ID peristiwa
10 peristiwa teratas menurut ID peristiwa.
Event
| summarize count() by EventID
| top 10 by count_
Peristiwa peringatan
Peristiwa peringatan diurutkan menurut waktu.
Event
| where EventLevelName == "warning"
| sort by TimeGenerated desc
Jumlah peristiwa peringatan
Jumlah peristiwa peringatan menurut ID peristiwa.
Event
| where EventLevelName == "warning"
| summarize count() by EventID
Peristiwa di OM antara 2000 hingga 3000
Peristiwa manger operasi dengan ID dalam kisaran 2000 hingga 3000.
Event
| where EventLog == "Operations Manager" and (EventID >= 2000 and EventID <= 3000)
| sort by TimeGenerated desc
Pengaturan kebijakan Windows Fireawall
Pengaturan kebijakan Windows Fireawall diubah.
Event
| where EventLog == "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" and EventID == 2008
| sort by TimeGenerated desc
Pengaturan kebijakan Windows Fireawall diubah oleh komputer
Pengaturan kebijakan Windows Fireawall diubah oleh komputer.
Event
| where EventLog == "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" and EventID == 2008
| summarize count() by Computer
| limit 10000